
Cryptocurrency miners are now being distributed by a new campaign pretending to be Adobe Flash Player installers. While this is not new, this particular campaign is going the extra mile to appear legitimate by not only installing a miner, but also updating Flash Player as well.

Fake Flash Player installers with miners are not new, but in the past they have always just installed the miner and then either exited or opened a browser to the Adobe Flash Player web site.

In a new malware campaign discovered by Palo Alto Networks Unit 42 researcher Brad Duncan, a fake Flash Player Trojan not only installed an XMRig miner but also automatically updated his installed Flash Player. The Trojan downloaded this real Flash installer from Adobe's site.

Trojan upgrading Flash Player

By actually upgrading the program the victim wanted, the Trojan makes the user less suspicious and lends further credibility to the impression that it was a genuine Adobe installer for Flash Player.

"The installers caused traffic behind the scenes to retrieve the official Adobe Flash player from Adobe servers," Duncan told BleepingComputer. "They worked very similarly to an actual Flash installer."

While Flash Player is now updated, what the victim does not know is that a coinminer was silently installed on the computer and started. Once started, this sample would connect to a mining pool at xmr-eu1.nanopool.org and begin to use almost 100% of the computer's CPU in order to mine the Monero cryptocurrency.

Explorer.exe CoinMiner using up the computer's CPU

Tracking the installers

Duncan noticed that this campaign was downloading fake Flash installers using URLs that contained "flashplayer_down.php?clickid=", with some of the downloads being hosted on Amazon AWS instances.

Based on the number of fake Flash installers released from March through September 2018, he was able to see that this campaign started to be heavily distributed at the end of July and continued through the end of September.
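As an added defensive example (not code from the article or from Unit 42), the following Python scanner checks proxy-log lines for the two indicators the article gives: the "flashplayer_down.php?clickid=" download URL pattern and connections to the nanopool mining-pool domain. The log format and the sample lines are constructed for illustration.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators named in the article: the fake-installer download script with its
# "clickid" parameter, and the Monero pool host xmr-eu1.nanopool.org.
DOWNLOAD_SCRIPT = "flashplayer_down.php"
DOWNLOAD_PARAM = "clickid"
POOL_DOMAIN = "nanopool.org"


def classify_url(target: str) -> Optional[str]:
    """Label a proxy request target as a known indicator, or None if it matches neither."""
    # CONNECT targets are bare host:port; prepend a scheme so urlsplit parses the host.
    if "://" not in target:
        target = "http://" + target
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if host == POOL_DOMAIN or host.endswith("." + POOL_DOMAIN):
        return "mining-pool-host"
    if parts.path.lower().endswith(DOWNLOAD_SCRIPT) and DOWNLOAD_PARAM in parse_qs(parts.query):
        return "fake-flash-download-url"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, label, target) for every line whose request target matches.
    Assumed (constructed) format: '<timestamp> <client-ip> <method> <target> <status>'."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip it rather than crash
        label = classify_url(fields[3])
        if label is not None:
            hits.append((line_no, label, fields[3]))
    return hits


# Constructed sample log: one fake download, one legitimate Adobe fetch,
# one pool connection, and one unrelated request.
SAMPLE_LOG = """\
2018-09-25T10:01:02Z 10.0.0.5 GET http://example-cdn.invalid/flashplayer_down.php?clickid=12345 200
2018-09-25T10:01:09Z 10.0.0.5 GET https://get.adobe.com/flashplayer/ 200
2018-09-25T10:02:40Z 10.0.0.5 CONNECT xmr-eu1.nanopool.org:14444 200
2018-09-25T10:03:00Z 10.0.0.7 GET https://www.example.com/ 200
""".splitlines()

if __name__ == "__main__":
    for line_no, label, target in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {label}: {target}")
```

Running it flags line 1 (the fake download) and line 3 (the pool connection) while the legitimate Adobe fetch passes untouched.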

Graph of installers matching the flashplayer_down.php string

Unfortunately, Duncan told BleepingComputer that he was unable to find the actual web sites that were distributing these fake Flash Player installers.

The takeaway from this is that you should only download and install Adobe Flash Player installers directly from the Adobe.com site.

If you see a non-Adobe site offering a Flash installer, just close the browser. These are not the Flash Player installers you are looking for.
